xfrm is an IP
framework for transforming packets (such as encrypting their
payloads). This framework is used to implement the IPsec
protocol suite (with the state object operating on
the Security Association Database, and the policy
object operating on the Security Policy Database). It is
also used for the IP Payload Compression Protocol and
features of Mobile IPv6.

contains one or more of the
following optional flags: noecn, decap-dscp,
nopmtudisc, wildrecv, icmp,
af-unspec, align4, or esn.

SELECTOR

selects the traffic that will
be controlled by the policy, based on the source address,
the destination address, the network device, and/or
UPSPEC.

UPSPEC

selects traffic by protocol. For the tcp,
udp, sctp, or dccp protocols, the
source and destination port can optionally be specified. For
the icmp, ipv6-icmp, or mobility-header
protocols, the type and code numbers can optionally be
specified. For the gre protocol, the key can
optionally be specified as a dotted-quad or number. Other
protocols can be selected by name or number
PROTO.

used to set the output mark, which influences the
routing of the packets emitted by the state.

nosock

filter (remove) all socket
policies from the output.

specifies the minimum local
address prefix length of policies that are stored in the
Security Policy Database hash table.

RBITS

specifies the minimum remote address prefix length of
policies that are stored in the Security Policy Database
hash table.
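
The following script is an added example and is not part of the iproute2 man page; it assembles the ip xfrm commands that use the syntax described above in one place: a FLAG-LIST and output mark on a state, a SELECTOR with an UPSPEC on a policy, the nosock listing filter, and the hthresh LBITS/RBITS setting. All addresses, SPIs, keys, marks and prefix lengths are constructed placeholders, and the commands are only printed unless XFRM_APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not from the iproute2 ip-xfrm man page): assemble the
# "ip xfrm" commands that use the syntax documented above: a FLAG-LIST on
# the state, an output mark, a SELECTOR with an UPSPEC on the policy, the
# nosock listing filter and the SPD hash thresholds (LBITS RBITS).
# All addresses, SPIs, keys, marks and prefix lengths are constructed
# placeholders. Commands are printed, not executed, unless XFRM_APPLY=1.

# One direction of an ESP tunnel-mode SA. "flag esn af-unspec" is a FLAG-LIST
# (extended sequence numbers, selector family unspecified); "output-mark"
# sets the mark on packets this state emits so a fwmark rule can route them.
state_add_cmd() {
    # $1 outer src, $2 outer dst, $3 SPI, $4 AES-GCM key (hex), $5 output mark
    printf "ip xfrm state add src %s dst %s proto esp spi %s mode tunnel reqid 1 aead 'rfc4106(gcm(aes))' %s 128 flag esn af-unspec output-mark %s" \
        "$1" "$2" "$3" "$4" "$5"
}

# A policy whose SELECTOR matches the two inner prefixes and whose UPSPEC
# narrows it to TCP with destination port 22; the template binds it to the
# SA above through reqid 1.
policy_add_cmd() {
    # $1 inner src prefix, $2 inner dst prefix, $3 direction, $4 outer src, $5 outer dst
    printf 'ip xfrm policy add src %s dst %s proto tcp dport 22 dir %s priority 100 tmpl src %s dst %s proto esp mode tunnel reqid 1' \
        "$1" "$2" "$3" "$4" "$5"
}

# SPD hash thresholds: IPv4 policies whose local and remote prefixes are at
# least LBITS and RBITS long are stored in the hash table.
spd_hthresh_cmd() {
    printf 'ip xfrm policy set hthresh4 %s %s' "$1" "$2"
}

# Listing with nosock hides per-socket policies so only SPD entries are shown.
policy_list_cmd() {
    printf 'ip xfrm policy list nosock dir %s' "$1"
}

run() {
    if [ "${XFRM_APPLY:-0}" = 1 ]; then
        eval "$1"          # needs root and xfrm support in the kernel
    else
        printf '%s\n' "$1"
    fi
}

# Constructed placeholder keys: 20 bytes each (16-byte AES-128 key + 4-byte salt).
KEY_OUT=0x00112233445566778899aabbccddeeff01020304
KEY_IN=0xffeeddccbbaa99887766554433221100fcfdfeff

run "$(state_add_cmd 192.0.2.1 192.0.2.2 0x1001 "$KEY_OUT" 0x10)"
run "$(state_add_cmd 192.0.2.2 192.0.2.1 0x1002 "$KEY_IN" 0x10)"
run "$(policy_add_cmd 10.0.1.0/24 10.0.2.0/24 out 192.0.2.1 192.0.2.2)"
run "$(policy_add_cmd 10.0.2.0/24 10.0.1.0/24 in 192.0.2.2 192.0.2.1)"
run "$(spd_hthresh_cmd 24 24)"
run "$(policy_list_cmd out)"
```

Run it once without XFRM_APPLY to review the generated commands, then with XFRM_APPLY=1 as root on both peers (with the src/dst roles swapped on the second one); afterwards, ip xfrm state and ip xfrm policy show what the kernel actually installed, which is the check to make before trusting that traffic is being protected.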

The xfrm
objects to monitor can be optionally specified.

If the
all-nsid option is set, the program listens to all
network namespaces that have an nsid assigned in the
network namespace where the program is running. A prefix is
displayed to show the network namespace where the message
originates. Example: